Roberto Franceschetti wrote:
> I'm having some issues authenticating iOS clients (with FreeRADIUS v2.1.10
> installed on a Ubuntu server) with EAP-TLS when the username contains a
> domain name in the form of Domain\Username (the account is in Active
> Directory).
>
> I think the issue is caused by the fact that the final Access-Accept reply
> has the backslash after the domain name escaped, so that the output looks
> like this:
>
> Sending Access-Accept of id 171 to 172.27.28.84 port 32769
>     User-Name = "ocg\\cmctrf3"
>
> instead of containing the original, un-escaped domain\username:
>
> Sending Access-Accept of id 171 to 172.27.28.84 port 32769
>     User-Name = "ocg\cmctrf3"

  No.  The escaping is done when the string is *printed*.  It sends just
one '\' in the Access-Accept.  Use wireshark to check.

> Mine is just a theory, but I cannot verify it until I figure out how to have
> the un-escaped ocg\cmctrf3 string being sent in the output instead of the
> current escaped one. So my question is "how do I cause the User-Name to be
> sent un-escaped? Do I make a change in the clients.conf file...? The eap.conf
> file...? If so, under which section and where..? Sorry for what may look like
> a dumb question, but I could not find this mentioned anywhere else.

  You don't "unescape" anything.  The server sends the correct User-Name.
It Does the Right Thing.

> As a side-note, if I omit the domain name in the iOS device and just login
> with the username "cmctrf3" for example, the iPhones/iPads are able to login
> without problems. The issue only occurs when the domain name appears before
> escaped. All other devices (Windows and Mac desktops) seem to be able to get
> past that escaped sequence without problems.

  So the issue is the domain name.  NOT the escaping.  You THINK it's the
escaping, but you're not really sure.

> Below is a blurb showing the debug output. I do see the un-escaped
> ocg\cmctrf3 being logged,

  No.  That's a debug message, which isn't logging, and doesn't affect
anything.

> Login OK: [ocg\\cmctrf3] (from client 172.27.28.84 port 29 cli
> f0-cb-a1-2b-61-4d)
> # Executing section post-auth from file /etc/freeradius/clients.conf
> +- entering group post-auth {...}
> ++[exec] returns noop
> } # server lwap-clients
> Sending Access-Accept of id 171 to 172.27.28.84 port 32769
>     MS-MPPE-Recv-Key = 0x15c9ba070e3579e43c54314c24e7e09f4753c779e4e013b4bbd080a2cab4bbb2
>     MS-MPPE-Send-Key = 0x4f27c90c8fdf27be122e70c2c4d82bebd65797dafebe2ebb4ca91bedfd244cb5
>     EAP-Message = 0x030a0004
>     Message-Authenticator = 0x00000000000000000000000000000000
>     User-Name = "ocg\\cmctrf3"

  Well... if the server is sending Access-Accept and the user doesn't get
online... nothing is going wrong with FreeRADIUS.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
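Added example, not code from this thread or from FreeRADIUS: it encodes a RADIUS User-Name attribute (RFC 2865 Type/Length/Value) carrying the constructed value `ocg\cmctrf3`, decodes it back, and shows that the wire holds a single 0x5c byte while a debug-style printer renders it with the doubled backslash seen in the quoted output. The escaping function is a stand-in for how such printers display strings, not a reproduction of the server's own code.

```python
r"""Constructed example: a RADIUS User-Name value on the wire vs. in debug output.

The value 'ocg\cmctrf3' travels with ONE 0x5c byte; a debug printer that escapes
backslashes shows it as "ocg\\cmctrf3".  Nothing here is FreeRADIUS code.
"""
import struct

ATTR_USER_NAME = 1  # RFC 2865 attribute type for User-Name


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type(1) | Length(1) | Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value must be <= 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attributes(blob: bytes) -> dict:
    """Parse a run of TLV attributes into {type: value}; rejects truncated input."""
    attrs, pos = {}, 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", blob[pos:pos + 2])
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        attrs[attr_type] = blob[pos + 2:pos + length]
        pos += length
    return attrs


def debug_print_string(value: bytes) -> str:
    """Stand-in debug printer: escapes '\\' and '"' purely for display."""
    text = value.decode("utf-8")
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def wire_vs_debug(username: str) -> tuple:
    """Return (count of 0x5c bytes on the wire, debug rendering of the same value)."""
    wire = encode_attribute(ATTR_USER_NAME, username.encode("utf-8"))
    value = decode_attributes(wire)[ATTR_USER_NAME]
    return value.count(b"\\"), debug_print_string(value)


if __name__ == "__main__":
    backslashes, shown = wire_vs_debug("ocg\\cmctrf3")  # constructed sample value
    print(f"backslash bytes on the wire: {backslashes}")   # 1
    print(f"debug output shows: User-Name = {shown}")      # "ocg\\cmctrf3"
```

A packet capture of the Access-Accept will show the same single 0x5c byte, which is what the reply above tells the poster to verify.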